Fixing Unvalidated Redirects and Forwards in JAVA

Posted by on March 22, 2014 1 Comment

Note: This post is part of our series on “How to Fix Unvalidated Redirects and Forwards“. The series contains examples on how to fix unvalidated redirects and forwards in various programming languages.

The following code will allow you to prevent unvalidated redirects and forwards in Java.

<%
	// The destination is fixed in server-side code, so no user-supplied value reaches sendRedirect()
	String redirectURL = "http://www.example.com/";
	response.sendRedirect(redirectURL);
	return;
%>

Fixing Unvalidated Redirects and Forwards in PHP

Posted by on March 22, 2014 1 Comment

Note: This post is part of our series on “How to Fix Unvalidated Redirects and Forwards“. The series contains examples on how to fix unvalidated redirects and forwards in various programming languages.


The following code will allow you to prevent unvalidated redirects and forwards in PHP.

<?php
    // The destination is fixed in server-side code, so no user-supplied value reaches the Location header
    header('Location: destination.php');
    exit();
?>

Fixing Cross-site Scripting in PHP

Posted by on December 27, 2012 1 Comment

Note: This post is part of our series on “How to Fix Cross-site Scripting Vulnerabilities“. The series contains examples on how to fix Cross-site Scripting Vulnerabilities in various programming languages.

htmlspecialchars() converts special characters to HTML entities:

<?php
// ENT_QUOTES also converts single quotes, so the value is safe inside attributes quoted either way
$name = htmlspecialchars($_POST['name'], ENT_QUOTES);
echo $name;
?>

Fixing Insecure Cryptographic Storage in PHP

Posted by on December 27, 2012 1 Comment

Note: This post is part of our series on “How to Fix Insecure Cryptographic Storage“. The series contains examples on how to implement secure cryptography in various programming languages.

As seen below, the following code can be used to encrypt sensitive values such as passwords in PHP.

<?php
    // Registration
    // getRandomSalt() is not defined on the page; it is assumed here to return random bytes
    function getRandomSalt() {
        return random_bytes(16);
    }
    $salt = sha1(getRandomSalt());
    // The original called sha1($salt, 'user_password'), but sha1()'s second argument is the
    // raw_output flag, not data: salt and password must be concatenated before hashing
    $password = sha1($salt . 'user_password');
    // Insert $salt and $password into the database (the salt is needed again at login)
?>

Fixing Unvalidated Redirects and Forwards in ASP.NET

Posted by on May 2, 2012 1 Comment

Note: This post is part of our series on “How to Fix Unvalidated Redirects and Forwards“. The series contains examples on how to fix unvalidated redirects and forwards in various programming languages.

The following code will allow you to prevent unvalidated redirects and forwards in ASP.NET.

<%@ Page Language="C#" %>
<script runat="server">

    private void Page_Load(object sender, EventArgs e)
    {
        // Check whether the browser remains
        // connected to the server.
        if (Response.IsClientConnected)
        {
            // If still connected, redirect
            // to another page.
            Response.Redirect("Page2CS.aspx", false);
        }
        else
        {
            // If the browser is not connected
            // stop all response processing.
            Response.End();
        }
    }

</script>
<html>
<head>
</head>
<body>
    <form runat="server">
    </form>
</body>
</html>
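The three redirect posts above pin the destination in server-side code. When the destination has to come from a request parameter (a "next" or "returnUrl" value), it must be validated before sendRedirect(), header('Location: ...') or Response.Redirect() sees it. The following Java class is an added example, not code from the original posts; it uses only java.net.URI, and the allowlisted hosts and the fallback path are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SafeRedirect {
    // Hypothetical allowlist: the only external hosts this application may send users to
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<>(Arrays.asList("www.example.com", "login.example.com"));
    private static final String FALLBACK = "/";

    // Returns a value safe to pass to response.sendRedirect(): a same-site path or an
    // https URL on an allowed host; everything else is replaced by FALLBACK.
    public static String resolveTarget(String requested) {
        if (requested == null || requested.isEmpty()) {
            return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(requested);
        } catch (URISyntaxException e) {
            return FALLBACK; // unparsable input (backslashes, control chars) is never followed
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference. Check the raw string: browsers read "//host" and even
            // "///host" as a new authority, although URI reports no authority for "///host".
            boolean sameSitePath = requested.startsWith("/") && !requested.startsWith("//");
            return sameSitePath ? requested : FALLBACK;
        }
        String host = uri.getHost();
        boolean allowed = "https".equalsIgnoreCase(uri.getScheme())
            && uri.getRawUserInfo() == null        // rejects https://www.example.com@evil.example/
            && host != null
            && ALLOWED_HOSTS.contains(host.toLowerCase());
        return allowed ? requested : FALLBACK;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two are followed, the rest fall back to "/"
        String[] samples = { "/account?tab=1", "https://login.example.com/sso",
            "//evil.example/", "///evil.example", "https://www.example.com@evil.example/",
            "ftp://files.example.com/", "/\\evil.example" };
        for (String s : samples) {
            System.out.println(s + " -> " + resolveTarget(s));
        }
    }
}
```

In a JSP the call becomes response.sendRedirect(SafeRedirect.resolveTarget(request.getParameter("next"))), so the parameter never reaches the redirect unchecked.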

Fixing Insecure Cryptographic Storage in ASP.NET

Posted by on May 2, 2012 1 Comment

Note: This post is part of our series on “How to Fix Insecure Cryptographic Storage“. The series contains examples on how to implement secure cryptography in various programming languages.

As seen below, the following code can be used to encrypt sensitive values such as passwords in ASP.NET.

protected string MySHA512( )
    {
        System.Security.Cryptography.SHA512 sha512 = new System.Security.Cryptography.SHA512Managed();
        // UTF8 gives the same bytes on every machine; Encoding.Default depends on the system code page
        byte[] sha512Bytes = System.Text.Encoding.UTF8.GetBytes("PasswordToBeEncrypted");
        byte[] cryString = sha512.ComputeHash(sha512Bytes);
        string sha512Str = string.Empty;
        for (int i = 0; i < cryString.Length; i++)
        {
            // "X2" keeps the leading zero of bytes below 0x10; "X" drops it and yields a
            // variable-length string that cannot be decoded back to the original hash
            sha512Str += cryString[i].ToString("X2");
        }
        return sha512Str;
    }

Fixing Insecure Cryptographic Storage in Java

Posted by on May 1, 2012 1 Comment

Note: This post is part of our series on “How to Fix Insecure Cryptographic Storage“. The series contains examples on how to implement secure cryptography in various programming languages.

As seen below, the following code can be used to encrypt sensitive values such as passwords by encrypting them together with a salt.

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class PasswordHasher {
    // Hashes salt || password with SHA-256; the salt must be stored next to the hash
    public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        digest.reset();
        digest.update(salt);
        // StandardCharsets avoids the checked UnsupportedEncodingException of getBytes("UTF-8")
        return digest.digest(password.getBytes(StandardCharsets.UTF_8));
    }
}
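The PHP, ASP.NET and Java posts above each show only the hashing step. The following Java class is an added example, not code from the original posts, that completes the page's salt-then-SHA-256 construction with salt generation, a storage format and a constant-time verification step; the 16-byte salt and the "base64(salt)$base64(hash)" record format are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltedPasswordStore {
    private static final SecureRandom RNG = new SecureRandom();

    // A fresh random salt per user, so identical passwords give different stored values
    public static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    // The page's construction: SHA-256 over salt || password
    public static byte[] hash(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        digest.update(salt);
        return digest.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Registration: store salt and hash together as "base64(salt)$base64(hash)"
    public static String register(String password) throws NoSuchAlgorithmException {
        byte[] salt = newSalt();
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(hash(password, salt));
    }

    // Login: recompute with the stored salt and compare in constant time
    public static boolean verify(String password, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split("\\$", 2);   // '$' is not in the Base64 alphabet
        if (parts.length != 2) {
            return false;
        }
        byte[] salt, expected;
        try {
            salt = Base64.getDecoder().decode(parts[0]);
            expected = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return false;                              // corrupt record, never a match
        }
        return MessageDigest.isEqual(expected, hash(password, salt));
    }
}
```

register(password) runs once at sign-up and verify(password, storedRecord) at each login, with the record read back from the column the posts describe. The single-round salted hash is the page's construction; for new systems a deliberately slow password KDF such as PBKDF2 (PBKDF2WithHmacSHA256 in the JDK) is the usual replacement, and the register/verify split above stays the same.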

Fixing SQL Injection in Hibernate

Posted by on May 1, 2012 0 Comment

Note: This post is part of our series on “How to Fix SQL Injection Vulnerabilities“. The series contains examples on how to fix SQL Injection Vulnerabilities in various programming languages.

An SQL Injection attack is a code injection attack in which input from an attacker reaches one of your databases without any filtering or validation. As a result, a malicious user can execute read, write, delete or update queries against your database. In addition to this, he can also run system-level commands. The following example shows how SQL Injection can be prevented in Hibernate:

Subscription sub = (Subscription) sessionFactory.getCurrentSession()
 .createQuery("from Subscription sub where sub.verification = :verification")
 .setString("verification", verification)
 .uniqueResult();
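As an added example, not code from the original post, the vulnerable string-building version beside the page's named-parameter fix, plus the same binding applied to a native SQL query, which needs it just as much as HQL does. It assumes a mapped Subscription entity with a verification property, a subscription table behind it, and the Hibernate 3/4 Session API.

```java
import org.hibernate.SQLQuery;
import org.hibernate.Session;

public class SubscriptionDao {
    private final Session session;

    public SubscriptionDao(Session session) {
        this.session = session;
    }

    // VULNERABLE: the value is pasted into the HQL text, so quote characters in it
    // become part of the query structure instead of part of the compared value
    public Subscription findByVerificationUnsafe(String verification) {
        String hql = "from Subscription sub where sub.verification = '" + verification + "'";
        return (Subscription) session.createQuery(hql).uniqueResult();
    }

    // FIXED (the page's approach): a named parameter; Hibernate binds the value
    // separately from the query text, so it is never parsed as HQL
    public Subscription findByVerification(String verification) {
        return (Subscription) session
            .createQuery("from Subscription sub where sub.verification = :verification")
            .setParameter("verification", verification)
            .uniqueResult();
    }

    // Native SQL bypasses HQL but not the rule: bind with setParameter, never concatenate
    public Subscription findByVerificationNative(String verification) {
        SQLQuery query = session.createSQLQuery(
            "select * from subscription where verification = :verification");
        query.addEntity(Subscription.class);
        query.setParameter("verification", verification);
        return (Subscription) query.uniqueResult();
    }
}
```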

Fixing Cross-site Scripting in Spring MVC

Posted by on May 1, 2012 3 Comments

In Spring MVC, form tags are used to build JSP pages. Spring MVC provides multiple options to HTML-escape output on the server side.

Add the following to the web.xml file to apply HTML escaping globally:

        <context-param>
            <param-name>defaultHtmlEscape</param-name>
            <param-value>true</param-value>
        </context-param>

At page level, it is defined as a tag declaration. The code is:

<spring:htmlEscape defaultHtmlEscape="true" />